Your Smart Home—It’s Connected, but Is It Safe?

Behold the home of the future: With the tap of your smartphone, your front door unlocks. As you enter, your lights come on and your integrated thermostat automatically adjusts the room temperature to your customized settings. When you go to the kitchen to get a snack, your refrigerator alerts you that it’s time to reorder milk. You press a button on the screen embedded in the door and your order is automatically placed for delivery before tomorrow’s breakfast.

In truth, these smart devices aren’t so futuristic—they are already providing convenience in people’s homes. They’re part of the Internet of Things (IoT)—a growing collection of everyday objects that are connected to the Internet and/or each other and that can send data back and forth. There are already 6 billion IoT devices in operation around the globe, according to research firm Gartner—a number that’s forecast to grow to over 20 billion by 2020.

With such a massive number of connected devices in homes, offices, stores and even hospitals, you’d think there would be systems in
place to ensure they remain highly secure. But you’d be wrong. There’s no universal security requirement for IoT devices. And even those that have some security built in aren’t always updated regularly, giving hackers ample time to find their way in.

“With the increasing number of devices connecting to each other and to the Internet, the number of vulnerabilities per device are also increasing,” warns Rekha Ramesh, Senior Vice President of IT and Digital for Daymon.

What’s the risk?

You might be wondering—what’s the risk of someone hacking into devices like DVRs, coffee makers and refrigerators? To date, the biggest risks have been to wider infrastructure as opposed to individual consumers. For example, in the fall of 2016, hackers coopted millions of IoT devices to launch a “botnet” attack against a major Internet registry provider. In doing so, the botnet took down major web sites across the East Coast, which impacted users across the U.S. for several hours. Online platforms such as Twitter, The New York Times, Spotify and other business-sanctioned tools such as Zendesk, Workday and Okta were impacted in the cyberattack.

Losing web connectivity for a few hours was more than a mere inconvenience. It was a sign of potentially more serious attacks to come, according to the U.S. Department of Homeland Security (DHS). In its recent Strategic Principles for the Internet of Things report, the DHS stated that the current IoT ecosystem “introduces risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves, which can lead to the theft of sensitive data and loss of consumer privacy.” Essentially, hackers could infiltrate IoT devices just like they can with unprotected computers to capture any information users send or have associated with those devices.

“Ninety percent of IoT devices collect at least one piece of personal information,” adds Ramesh. “Many of the devices transmit the information across networks without encryption. Worse still, most of those devices do not require complex passwords, allowing users to have weak or simple passwords for authentication—making it much easier for hackers.”

In practical terms, this means if your smart refrigerator is connected to your local grocer’s home delivery service, allowing you to make automatic orders that are charged directly to your credit card on file—your financial information, name, address and more could be at risk of an IoT attack. Or, if you use an IoT alarm system, the PIN that unlocks your front door could be stolen. And if those IoT devices are connected to the same network as your laptop, PC, smartphone or tablet, those devices and the information contained on them could also be at risk.

If that’s not concerning enough, the risks can be even greater for retailers, hospitals and other businesses and organizations using IoT devices for everything from managing power usage to tracking inventory to securing buildings. The DHS warns that attacks on these systems could lead not only to interruptions in business, but also potential disruptions to critical infrastructure.

Where does the average consumer stand?

A number of recent surveys and polls have shown that many consumers are growing increasingly aware of—and concerned about—security and
privacy risks associated with IoT. For example, according to technology trade group Mobile Ecosystem Forum, 62 percent of consumers around the world are concerned about lack of privacy with IoT, and 54 percent with the security risks. The same study showed the biggest concerns are centered on IoT home security systems, with 30 percent of consumers saying they would be leeriest of using these devices. Also concerning to consumers are IoT door locks, cars and TVs.

Do those concerns change consumers’ behavior? Surprisingly, they don’t. In a December 2016 poll conducted by Daymon, 69 percent of consumers said they were somewhat or very concerned about security hacks related to IoT devices, but over 75 percent of those taking the poll said they still use (or would use) them.

Sales of IoT devices support Daymon’s poll findings. For example, online giant Amazon cashed in big on IoT devices this past holiday season, selling millions of its Alexa-based Echo and Echo Dot devices (IoT-enabled speakers that allow users to play music, get news and information, control other smart home devices and more via voice command). From a broader global perspective, analytics firm IHS Markit estimates 4 billion IoT devices will be sold this year—and sales will continue to grow by 15 percent or more each year for the next 5 years.

Closing the gaps

Clearly IoT devices aren’t going away anytime soon. So what can be done to secure them? According to the DHS and other technology experts, much of the onus lies with manufacturers, who must strengthen and regularly update the software for their products to minimize security vulnerabilities. Retailers and other businesses who work with IoT device makers would do well to put pressure on manufacturers to follow stringent security protocols to protect their consumers and their reputations.

There are also steps IoT device users can take to help minimize the risks. For starters, users should always change the default passwords on IoT devices and other network components, like wireless routers, when they first come out of the box. (The widespread IoT attack that took down
websites across the Eastern U.S. was perpetrated by hackers targeting devices still using factory-set, default usernames and passwords.) It’s best to use passwords that are unique and hard to guess, like those with a combination of upper- and lowercase letters, numbers and special characters. For businesses, VPNs and encryption offer additional layers of protection.

Once devices are set up and in use, it’s critical to keep the software on them up-to-date. Some devices may offer automatic updates that require little effort. But for others, users may have to reach out the manufacturers to learn how to keep their devices secure.

Last but not least, “consumers should be aware of what information is being collected and the potential risks,” says Ramesh. Particularly for devices that don’t allow for complex passwords or other authentication, individuals and businesses must ask themselves whether the improved functionality or convenience warrants possible exposure of that information. For example, the benefit of controlling your thermostat from your phone may outweigh the risks of exposing your e-mail address. But exposing financial or other highly private information may be a whole different story.

Looking forward

“The IoT provides both amazing benefits and risks over the coming years,” concludes Ramesh. “However, in order to enjoy the benefits fully, we need to be effective in dealing with the risks around privacy and security.”

As more retailers, manufacturers and other organizations look to get into the IoT game, Ramesh emphasizes that “consumer privacy and security should be on top of the list priorities from the inception and planning stage through the life-cycle of the technology and devices. Consumer privacy and security protection practices should be adequately planned, executed and made transparent to consumers. Consumers should also keep up with the emerging technology and continually educate themselves about the risks around it.”